git-secure-export

Experimental tooling for encrypting the git-fast-export(1) output

git clone https://git.8pit.net/git-secure-export.git

# git-secure-export

Experimental tooling for encrypting the `git-fast-export(1)` output.

## Description

This repository provides `git-secure-export`, a postprocessor for
`git-fast-export(1)` which encrypts file and commit message data of
exported git repositories. Additionally, `git-secure-import` is provided
which acts as a preprocessor for `git-fast-import(1)` and allows
importing a previously encrypted `git-fast-export(1)` output.

Based on these two programs, two very hacky shell scripts were written
which implement an ssh-based git remote helper (refer to
`gitremote-helpers(7)`) for encrypting the repository on the remote. The
setup requires access to the remote server for installing a custom
script and thus does not work with GitHub or other hosted Git solutions.

## Status

Proof of concept, largely untested and very buggy.

## Security

The code uses [secretbox][secretbox doc] for symmetric encryption and
authentication of file contents and commit messages. The symmetric key
is stored in `.git/git-secure-key`; the file must be created explicitly
using `git-secure-init`. Encryption of file names is also being
considered but would likely require a separate deterministic encryption
scheme or some kind of local database.

## Installation

To install run:

	$ go get github.com/nmeum/git-secure-export/cmd/...

If you want to use the remote helper also install the scripts from the
`contrib/` directory. Refer to `contrib/README.md` for more information
on these scripts.

## Usage

The software requires a symmetric key, which must be created explicitly
by invoking `git secure-init` in an existing git repository. Afterwards
`git-secure-export` can be used in combination with
`git-fast-export(1)` as follows:

	$ git fast-export <options> | git secure-export | \
		git secure-import | git fast-import

Of course, it would be more meaningful to write the output of
`git-secure-export` to a file, using an output redirection, and pass
it to `git-secure-import`, using an input redirection, on a different
computer. This use case, however, would require copying the symmetric key.

## See also

Existing tooling which encrypts single files in a git repository:

* https://github.com/elasticdog/transcrypt
* https://github.com/StackExchange/blackbox
* https://github.com/AGWA/git-crypt

Existing tooling which encrypts entire git repositories:

* https://github.com/spwhitton/git-remote-gcrypt
* https://github.com/rovaughn/git-remote-grave

## License

This program is free software: you can redistribute it and/or modify it
under the terms of the GNU General Public License as published by the
Free Software Foundation, either version 3 of the License, or (at your
option) any later version.

This program is distributed in the hope that it will be useful, but
WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General
Public License for more details.

You should have received a copy of the GNU General Public License along
with this program. If not, see <http://www.gnu.org/licenses/>.

[secretbox doc]: https://pkg.go.dev/golang.org/x/crypto/nacl/secretbox